Virdem
Virus.DOS.Virdem is a parasitic virus on DOS. It was the first file-infecting virus on this system, and it appeared almost a year after the distribution of the Pakistani Brain boot sector virus. There are 16 variants in 5 versions, represented by the following:

*Virus.DOS.Virdem.463
*Virus.DOS.Virdem.601
*Virus.DOS.Virdem.792
*Virus.DOS.Virdem.1336
*Virus.DOS.Virdem.1542

Behavior

When the virus is run, it infects the first uninfected DOS executable file by inserting its code at the beginning of the file and moving the original code to the end of the file. Some variants may infect files located in other directories, but they do not search second-level directories or their child directories.

Virdem.463, 792, 824, 1336.c and 1542

These variants infect the first uninfected file on each run and search other directories for more files to infect. Virdem.792 does not infect C:\COMMAND.COM, but it looks for drives A: and B:.

Virdem.601 and 1336.f

These variants look for files to infect on drive D:. If this drive letter is unassigned or is assigned to read-only media (e.g. a CD-ROM drive), they fail to infect. Virdem.601 infects C:\COMMAND.COM.

Virdem.833

This variant first infects C:\COMMAND.COM, sets a counter starting from 0, and then infects the first uninfected file. Once the total number of infected files reaches 9 (excluding COMMAND.COM), the virus no longer infects any files.

Virdem.836

This variant only infects files that are located in the root directory (C:), not in any other directory.

Virdem.1336.a, b, e, g and h

These variants infect files on floppy disk drive A:, except the first file.

Advanced details

These are non-memory-resident viruses.

MD5 hash:

Payload

Virdem.463, 601, 824, 836 and 1336.c

These variants do not manifest themselves.

Virdem.792

This variant destroys the file allocation table on A: and B: if there are disks inserted.

Virdem.833

When an infected program is run on a Monday, the virus displays an ASCII bug at the top of the screen, moving from left to right.

Virdem.1336.a, b, e, f, g and h

After the virus infects a file, it displays a number guessing game with the following message:

    VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - 05932/5451 This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x

where x is the generation number of the virus. If the user guesses the wrong number, it displays the following message, and the host program is not run:

    Sorry, you're wrong More luck at next try

If the user guesses right, it displays the message:

    Famous. You're right. You'll be able to continue.

After all possible files have been infected, it displays the message:

    All your programs are struck by VIRDEM.COM now.

For Virdem.1336.b, e, g and h, the texts are displayed in German. Some variants may display a different message with the same meaning. Additionally, Virdem.1336.f may hang the system after the user guesses the right number.

Virdem.1542

If there are no more files to infect on the entire disk (except C:\COMMAND.COM), the virus displays a graphical effect with colorful ASCII art. This is the only variant that shows this graphical effect.

Removal

Use F-Prot or delete the infected files.

Variants

This family has 16 variants in total:

*Virus.DOS.Virdem.463
*Virus.DOS.Virdem.601
*Virus.DOS.Virdem.792
*Virus.DOS.Virdem.824
*Virus.DOS.Virdem.833
*Virus.DOS.Virdem.836
*Virus.DOS.Virdem.1336 (A to I)
*Virus.DOS.Virdem.1542

Other details

The author of Virdem, Ralf Burger, is also the author of the book "Computer Viruses: A High-Tech Disease". He presented the working model of Virdem to the Chaos Computer Club, an underground hacker forum, in Germany.
Most of the forum members were interested in the VAX/VMS platform, but they still took an interest in the idea of a virus. Burger is quoted as saying about viruses that "used properly may bring about a new generation of self-modifying computer operating systems".

Virdem.1136.c has been identified as Virdem.Killer, which has slightly different text strings.

Variants of this virus were being created as late as 1993, about 6 to 7 years after the original was created.

Virdem.463 contains the internal text strings:

    *.com
    IRUS

Virdem.601 contains the internal text string:

    *.com

Virdem.792, 824, 1336 (A to I) and 1542 contain the internal text strings:

    *.com
    ????????exe
    ????????com

The variants of Virdem.1336 also contain the internal text string of the infected filename. Additionally, Virdem.1542 also contains the internal text string:

    a:\lo*.*
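
The internal text strings listed above can serve as a first-pass triage signature for suspect DOS executables. The following Python sketch is an added example, not code from the original page or from any antivirus product; the group labels, the weak/moderate confidence levels, exact-case matching and the sample buffers are assumptions made for illustration.

```python
from pathlib import Path

# String sets as listed on this page; labels and exact-case matching are assumptions.
SIGNATURES = [
    ("Virdem.1542", (b"*.com", b"????????exe", b"????????com", b"a:\\lo*.*")),
    ("Virdem.792/824/1336/1542", (b"*.com", b"????????exe", b"????????com")),
    ("Virdem.463", (b"*.com", b"IRUS")),
    ("Virdem.601", (b"*.com",)),
]

def triage(data: bytes):
    """Return (label, confidence) for the most specific string set found, or None.

    A set matches only if every one of its strings occurs in the data.
    A single-string match ('*.com' alone) is reported as 'weak' because
    any DOS utility that globs .COM files carries the same bytes.
    """
    hits = [(label, needles) for label, needles in SIGNATURES
            if all(n in data for n in needles)]
    if not hits:
        return None
    # The sets are nested, so the longest matching set is the most specific one.
    label, needles = max(hits, key=lambda h: len(h[1]))
    return label, ("weak" if len(needles) == 1 else "moderate")

def scan_tree(root):
    """Triage every .COM/.EXE file under root; yields (path, label, confidence)."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".com", ".exe"):
            result = triage(path.read_bytes())
            if result:
                yield (path, *result)

# Constructed sample buffers (not real virus bodies): padding plus the listed strings.
SAMPLES = {
    "clean.com": b"\x90" * 64 + b"Hello, world$",
    "globber.com": b"\xeb\x10" + b"*.com\x00" + b"\x00" * 32,
    "s463.com": b"\xe9\x00\x01" + b"*.com\x00" + b"\x00" * 8 + b"IRUS",
    "s792.com": b"\x00" * 16 + b"*.com\x00????????exe\x00????????com\x00",
    "s1542.com": b"*.com\x00????????exe\x00????????com\x00a:\\lo*.*\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob))
```

A hit is only a reason to examine the file with a real scanner such as F-Prot; the strings are short and generic enough that unrelated DOS programs can contain them.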